Facebook is buying up stolen passwords on the black market

Facebook shops for passwords sold on the online black market, buying up credentials from crooks to sniff out which ones its users are reusing, Chief Security Officer Alex Stamos said at the Web Summit in Lisbon on Wednesday.

CNET quoted Stamos:

The reuse of passwords is the No. 1 cause of harm on the internet.

Facebook is reportedly hashing each purchased password and comparing the result against the password hashes it holds for its users. Stamos said the work is “computationally heavy” (if each stored hash has its own salt, as it should, every leaked password has to be hashed separately for each account it is checked against), but that it has resulted in Facebook alerting tens of millions of users to beef up their passwords.

We already knew that Facebook checks user credentials against caches of stolen logins posted online.

That came to light after the 2013 Adobe breach, when Facebook’s security team mined the leaked data to find users who had committed the egregious security sin of using the same password to log in to both Facebook and Adobe.

Once it found matches, Facebook locked the users in a closet, tucking the accounts out of the public eye until the account owners had changed their passwords.

At the time, many people wondered how Facebook was able to find password reusers without storing their passwords in clear text, or in some other unencrypted or poorly protected form. Some may pose the same question with regard to Facebook’s black-market password shopping.

We’ll reiterate what we said back in 2013 with the Adobe breach: Facebook doesn’t have to do anything Big-Brotherish with data mining.

Chris Long, a security incident response manager at Facebook, gave this explanation at the time:

We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time.

In simple terms, Facebook doesn’t store users’ passwords themselves. Rather, it passes each password (combined with a random per-user salt, in any competent implementation) through a one-way hashing function and stores only the result.

It can do that because passwords can be used to create hashes, but the reverse isn’t feasible: a hash can’t be turned back into the password that made it. The one caveat is that hashes can still be attacked by guessing, by hashing candidate passwords and looking for a match, which is exactly why sites should use slow, salted hashes and why weak or reused passwords remain at risk even when the hashing is done properly.

When somebody logs in to Facebook, the password they hand over is passed through a one-way hashing function. If the result matches what Facebook has on record, that user is allowed in.

Facebook used the same process on passwords that researchers recovered from the Adobe data. Ditto for passwords it purchases on the black market: each recovered plaintext is run through the company’s hashing function for the account the leaked credentials identify, and if the result matches what the company has on record for that user, Facebook knows it has hit on a password reuser. Nothing in the process reveals anyone else’s password, and a leaked password that doesn’t match simply produces a different hash.
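To make the process concrete, here is an added example (our own illustration, not Facebook’s code, and not based on any real credential store) of a site checking a list of leaked plaintext credentials against its salted password hashes using exactly the routine its login path uses, then locking the matching accounts until their owners reset. The user store, the leaked list and the PBKDF2 work factor are all constructed for the demonstration; a real site would use whatever slow hash it already deploys.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed example. Nothing here is Facebook's code or data; the
# work factor is illustrative, chosen so the demo runs in well under a second.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def create_record(password: str) -> Dict[str, object]:
    """What the site stores: a fresh random salt and the hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "locked": False}


def password_matches(record: Dict[str, object], candidate: str) -> bool:
    """The core login check: hash the candidate with the account's own salt and
    compare in constant time. This is the only way the site can 'recognise' a
    password, whether it arrives at the login form or in a leaked list."""
    expected = hash_password(candidate, record["salt"])
    return hmac.compare_digest(expected, record["hash"])


def login(store: Dict[str, Dict[str, object]], email: str, password: str) -> bool:
    """Ordinary login: unknown or locked accounts are refused."""
    record = store.get(email)
    if record is None or record["locked"]:
        return False
    return password_matches(record, password)


def find_reused(
    store: Dict[str, Dict[str, object]], leaked: List[Tuple[str, str]]
) -> List[str]:
    """Run each leaked plaintext through the login check for the account the
    leak identifies. Because every account has its own salt, each leaked
    password costs one full slow hash per account it is tested against, which
    is why this job is computationally heavy at scale. Matching accounts are
    locked until the owner changes the password."""
    hits: List[str] = []
    for email, leaked_password in leaked:
        record = store.get(email)
        if record is None:
            continue  # the leak names an address that is not a user here
        if password_matches(record, leaked_password):
            record["locked"] = True
            hits.append(email)
    return hits


def build_demo_store() -> Dict[str, Dict[str, object]]:
    """Constructed credential store for three hypothetical users."""
    return {
        "alice@example.com": create_record("correct horse battery staple"),
        "bob@example.com": create_record("hunter2"),
        "carol@example.com": create_record("unique-site-specific-pw"),
    }


# Constructed 'leaked' list, in the shape such dumps usually take: email, plaintext.
LEAKED_CREDENTIALS: List[Tuple[str, str]] = [
    ("alice@example.com", "correct horse battery staple"),  # reused here: will match
    ("bob@example.com", "Hunter2"),                          # near miss: no match
    ("carol@example.com", "hunter2"),                        # different password here
    ("dave@example.com", "letmein"),                         # no such account
]


if __name__ == "__main__":
    demo_store = build_demo_store()
    reusers = find_reused(demo_store, LEAKED_CREDENTIALS)
    print("accounts locked pending password change:", reusers)
    print("bob can still log in:", login(demo_store, "bob@example.com", "hunter2"))
    print("alice is locked out:", login(demo_store, "alice@example.com", "correct horse battery staple"))
```

Two points the code makes that the prose can only assert: the leaked password is never compared to anything but a freshly computed hash, so the site learns nothing about users whose password differs even slightly (Bob’s “Hunter2” versus “hunter2”); and the per-account salt means the leaked list cannot be hashed once and looked up in bulk, which is where the computational cost comes from.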

But while it’s old news that Facebook (thankfully!) protects users in this manner, we didn’t know it was paying crooks to do it.

That’s a revelation, though it makes sense if you think about it: how else would Facebook get the passwords?

Still, it raises interesting ethical questions. Does good, preventive password hygiene make it right to subsidize cyber crooks?

It could be compared to paying a ransomware demand, and that’s one thing that law enforcement has vigorously tried to talk victims out of.

In fact, in July, the Dutch National Police and Europol launched a portal called No More Ransom, aimed at helping victims recover their data without paying ransom to crooks who could, for all you know, simply try to gouge you for more money a second time, or a third time, or… well, you get the idea.

What will those law enforcement agencies think about Facebook putting money in crooks’ pockets? What should they think, given that it’s being done to protect users from all manner of threats – including malware such as ransomware?

Please tell us what you think in the comments section below.

And if you need an alternative to reusing the same passwords on different sites, we’ve got you covered. Here’s why we think you should consider using a password manager, and below is a short, sweet video showing you how to cook up the one brawny password you’ll need to lock up that password manager.